{ "type": "URL", "indicator": "https://learn.appletvapp.apple", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://learn.appletvapp.apple", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 2896496703, "indicator": "https://learn.appletvapp.apple", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 31, "pulses": [ { "id": "69d4db11500ea6dcbc2afd10", "name": "ZETALYTICS.COM PT2 CREATED 2 YEARS AGO by StreamMiningEx Public TLP: Green clone", "description": "", "modified": "2026-04-07T10:23:13.255000", "created": "2026-04-07T10:23:13.255000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65707f425121331bce0945cd", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 547, "FileHash-SHA256": 932, "URL": 1267, "domain": 140 }, "indicator_count": 2886, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952fbca42c1b0da7431e6a7", "name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ", "description": "", "modified": "2025-12-29T22:08:10.280000", "created": "2025-12-29T22:08:10.280000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "6877422df67773a07ef450c2", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "111 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6877422df67773a07ef450c2", "name": "Pegasus / Pegacloud - Infiltration", "description": "Pegasus IoC\u2019s found in the periphery of research. Appears target contacted a \u2018fake host\u2019 after finding name in multiple highly malicious domains. May have appeared between 12/2013 - 11-2014. Target was contacted by telephone and asked \u2018 have you checked Googled yourself\u2019, to which target answered \u2018Not really\u2019. Target was told \u2018you really should Google yourself\u2019. Target, upset about content clicked and began a takedown effort with host.\n\nThis seems to be at the start of many malicious campaigns. Requires further investigation.", "modified": "2025-08-15T05:01:22.570000", "created": "2025-07-16T06:09:49.704000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "247 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66507a6eb3fde0552a6ebd9d", "name": "Sweet QuaDreams Apple | Hostile Spy campaign | Service modifier (Updated) ", "description": "", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:30:54.138000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6650751b8dd6c7d00f0d7478", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6650751b8dd6c7d00f0d7478", "name": "ET INFO Terse | Apple | Win.Trojan.Zbot-6598057-0", "description": "Tags, results generated by Level Blue OTX. AlienVault\nMy limited research results: \nApple | CIDR\n17.0.0.0/8\nFileHash-SHA256 d9ff17dd19a01ad64a77df6837e566319d16a235ac7223b9f565f470e57154c8 | Antivirus Detections\nWin32:Dropper-gen, Adware.Xadupi.B, Mirai, Win.Trojan.Zbot-6598057-0,\na variant of Win32/ELEX.IE potentially unwanted, Adware.Xadupi.B, Artemis!69E9EFD2E75E\nIDS Detections:\nET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile.\nYara Detections: dbgdetect_funcs,\nAlerts: injection_runpe,\nnetwork_icmp,\nallocates_execute_remote_process,\npersistence_autorun,\ncreates_service,\ninjection_modifies_memory,\ninjection_write_memory,\nprocess_martian,\nransomware_extensions,\nransomware_mass_file_delete", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:08:10.044000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a986b2f9afc18556b1181", "name": "RATel \u2022 Apple iOS \u2022 NEWORDER.doc \u2022 http://ocsp2.apple.com/", "description": "", "modified": "2023-12-29T16:03:00.220000", "created": "2023-12-02T02:37:31.842000", "tags": [ "ssl certificate", "whois record", "contacted", "apple", "historical ssl", "referrer", "resolutions", "highly targeted", "execution", "password", "ratel", "core", "hacktool", "attack", "life", "android", "project", "chaos", "ransomexx", "quasar", "name verdict", "no data", "tag count", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag tag", "pattern match", "script", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "beginstring", "mitre att", "null", "date", "unknown", "error", "span", "class", "generator", "critical", "body", "meta", "hybrid", "general", "click", "strings", "refresh", "tools", "ip summary", "url summary", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "malicious url", "phishing", "union", "bank", "traffic", "tor known", "tor relayrouter", "node tcp", "spammer", "anonymizer", "united", "firehol gozi", "cname", "aaaa", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnapple", "public server", "ecc ca", "g1 oapple", "validity", "public key", "info", "domain status", "server", "redacted for", "privacy tech", "privacy admin", "email", "registrar abuse", "country", "postal code", "code", "csc corporate", "domains", "registrar url", "registry domain", "contact phone", "registrar whois", "security", "dns replication", "servers", "passive dns", "urls", "creation date", "rsa cn", "ca g2", "search", "record value", "object", "certificate", "orgtechhandle", "apple computer", "orgtechref", "rauschenberg", "rtechhandle", "rtechref", "network", "registry arin", "country us", "domain", "lookups", "city", "orgid", "stevens creek", "city center", "dropped", "pe resource", "collections", "contacted urls", "stealer", "nanocore", "malicious", "installer", "neworder.doc", "et", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "setcookie geous", "cookie", "malware site", "malicious site", "genericm", "phishing site", "malware", "lazarus", "tulach", "tsara brashears", "targeting", "malvertizing", "ios", "icloud compromise", "apple support compromise", "apple app store compromise", "t-mobile", "metroby-tmo", "metro", "dgs", "qwest", "zombie devices", "python infostealer", "soc", "red", "galaxy watch", "gear s", "watch", "samsung galaxy", "app store", "gear s2", "gear sport", "gear s3", "active", "active2", "galaxy", "blacklist https", "tld count", "scan endpoints", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "verdict", "samsug", "galaxy watch", "registrar", "showing", "as43350 nforce", "united kingdom", "alexa top", "alexa" ], "references": [ "https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca", "ocsp2.apple.com | IP 17.253.29.199", "5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate", "CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE", "37.48.65.150 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.33.20.235 | command and control", "45.33.23.183 | command and control", "45.33.30.197 | command and control", "45.56.79.23 | command and control", "45.79.19.196 | command and control", "172.93.103.100 | command and control", "198.58.118.167 | command and control", "185.107.56.200 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.79.19.196 | command and control", "5.79.79.211 | command and control", "72.14.178.174 | command and control", "72.14.178.174 | command and control", "72.14.185.43 | command and control", "96.126.123.244 | command and control", "20.99.186.246 | command and contro", "103.246.145.111 | scanning host", "https://tulach.cc/ | phishing", "tulach.cc. | Malicious compromises \u2022 Critical", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy", "https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware", "message.htm.com | malware ransomware spreader", "ussjc9-edge-bx-008.ts.apple.com | malware", "nr-data.net | Apple Private Data Collection", "https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)", "apple.com | malicious \u2022 geo tracking", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog", "https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument", "drip.colorado.edu = colorado.edu @ University of Colorado Boulder" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Nimnul", "display_name": "Nimnul", "target": null }, { "id": "Botnet Army", "display_name": "Botnet Army", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Telecommunications", "Public" ], "TLP": "white", "cloned_from": "65676fdedd4bf87319fcd14a", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4559, "FileHash-MD5": 187, "FileHash-SHA1": 161, "FileHash-SHA256": 2628, "domain": 744, "hostname": 1598, "email": 11, "CVE": 1, "CIDR": 2 }, "indicator_count": 9891, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "842 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65676fdedd4bf87319fcd14a", "name": "RATel \u2022 Apple iOS \u2022 NEWORDER.doc \u2022 http://ocsp2.apple.com/", "description": "", "modified": "2023-12-29T16:03:00.220000", "created": "2023-11-29T17:07:42.477000", "tags": [ "ssl certificate", "whois record", "contacted", "apple", "historical ssl", "referrer", "resolutions", "highly targeted", "execution", "password", "ratel", "core", "hacktool", "attack", "life", "android", "project", "chaos", "ransomexx", "quasar", "name verdict", "no data", "tag count", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag tag", "pattern match", "script", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "beginstring", "mitre att", "null", "date", "unknown", "error", "span", "class", "generator", "critical", "body", "meta", "hybrid", "general", "click", "strings", "refresh", "tools", "ip summary", "url summary", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "malicious url", "phishing", "union", "bank", "traffic", "tor known", "tor relayrouter", "node tcp", "spammer", "anonymizer", "united", "firehol gozi", "cname", "aaaa", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnapple", "public server", "ecc ca", "g1 oapple", "validity", "public key", "info", "domain status", "server", "redacted for", "privacy tech", "privacy admin", "email", "registrar abuse", "country", "postal code", "code", "csc corporate", "domains", "registrar url", "registry domain", "contact phone", "registrar whois", "security", "dns replication", "servers", "passive dns", "urls", "creation date", "rsa cn", "ca g2", "search", "record value", "object", "certificate", "orgtechhandle", "apple computer", "orgtechref", "rauschenberg", "rtechhandle", "rtechref", "network", "registry arin", "country us", "domain", "lookups", "city", "orgid", "stevens creek", "city center", "dropped", "pe resource", "collections", "contacted urls", "stealer", "nanocore", "malicious", "installer", "neworder.doc", "et", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "setcookie geous", "cookie", "malware site", "malicious site", "genericm", "phishing site", "malware", "lazarus", "tulach", "tsara brashears", "targeting", "malvertizing", "ios", "icloud compromise", "apple support compromise", "apple app store compromise", "t-mobile", "metroby-tmo", "metro", "dgs", "qwest", "zombie devices", "python infostealer", "soc", "red", "galaxy watch", "gear s", "watch", "samsung galaxy", "app store", "gear s2", "gear sport", "gear s3", "active", "active2", "galaxy", "blacklist https", "tld count", "scan endpoints", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "verdict", "samsug", "galaxy watch", "registrar", "showing", "as43350 nforce", "united kingdom", "alexa top", "alexa" ], "references": [ "https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca", "ocsp2.apple.com | IP 17.253.29.199", "5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate", "CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE", "37.48.65.150 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.33.20.235 | command and control", "45.33.23.183 | command and control", "45.33.30.197 | command and control", "45.56.79.23 | command and control", "45.79.19.196 | command and control", "172.93.103.100 | command and control", "198.58.118.167 | command and control", "185.107.56.200 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.79.19.196 | command and control", "5.79.79.211 | command and control", "72.14.178.174 | command and control", "72.14.178.174 | command and control", "72.14.185.43 | command and control", "96.126.123.244 | command and control", "20.99.186.246 | command and contro", "103.246.145.111 | scanning host", "https://tulach.cc/ | phishing", "tulach.cc. | Malicious compromises \u2022 Critical", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy", "https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware", "message.htm.com | malware ransomware spreader", "ussjc9-edge-bx-008.ts.apple.com | malware", "nr-data.net | Apple Private Data Collection", "https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)", "apple.com | malicious \u2022 geo tracking", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog", "https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument", "drip.colorado.edu = colorado.edu @ University of Colorado Boulder" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Nimnul", "display_name": "Nimnul", "target": null }, { "id": "Botnet Army", "display_name": "Botnet Army", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Telecommunications", "Public" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4559, "FileHash-MD5": 187, "FileHash-SHA1": 161, "FileHash-SHA256": 2628, "domain": 744, "hostname": 1598, "email": 11, "CVE": 1, "CIDR": 2 }, "indicator_count": 9891, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "842 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a9c2eeebaf7b69d0e12ba", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "", "modified": "2023-12-20T17:01:34.161000", "created": "2023-12-02T02:53:34.585000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655b9a90e44a70d0fbbde981", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655b9a90e44a70d0fbbde981", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "Domain stated ' SEIZED' by Departing Homeland Security\nSeizure links below seem a bit questionable: \n\nhttp://server3.elgenero.com/iprc_seized_banner.png\nhttp://kickass.to/IPRC_Seized_2016_kat.jpg\nhttp://kickass.to/the-adventures-of-tom-sawyer-t2068537.html\t\nhttp://bludv.tv/iprc_seized_banner.png\nhttp://z-lib.org/iprc_seized_banner.png\nIPRC_Seized_2016_kat.jpg\n... just banners? Moved and continue? Okay.\nListed below also listed in seized domain. Domains,URL's and Botnetwork Hosts still seem to exist.\nhttp://alohatube.xyz/search/tsara-brashears\nalohatube.xyz\nhttps://alohatube.xyz/search/tsara-brashears\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttp://45.159.189.105/bot/regex\t\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbia\t\nnr-data.net", "modified": "2023-12-20T17:01:34.161000", "created": "2023-11-20T17:42:40.771000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a0bc9f2837fed9426cdd", "name": "Apple Music.app (by @kailula)", "description": "", "modified": "2023-12-06T16:26:36.394000", "created": "2023-12-06T16:26:36.394000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1235, "domain": 324, "hostname": 1559, "URL": 2278, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65709662f923e4766f55eb43", "name": "aka.ms bullshit $M signing Apple malware this is such crap whats up with peeps ICMP google DNS also NOT false positives you jerks", "description": "", "modified": "2023-12-06T15:42:26.949000", "created": "2023-12-06T15:42:26.949000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 319, "hostname": 125, "domain": 53, "URL": 318, "FileHash-SHA1": 17, "FileHash-MD5": 16 }, "indicator_count": 848, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657092f9499206cd87c73969", "name": "iphone", "description": "", "modified": "2023-12-06T15:27:53.981000", "created": "2023-12-06T15:27:53.981000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1768, "hostname": 808, "domain": 306, "URL": 1938, "FileHash-SHA1": 1 }, "indicator_count": 4821, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570917af75d1446c7c109eb", "name": "Apple's crappy FaceTime ~ Nothing has changed", "description": "", "modified": "2023-12-06T15:21:30.720000", "created": "2023-12-06T15:21:30.720000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 727, "domain": 213, "hostname": 342, "URL": 1029, "email": 1, "FileHash-MD5": 2 }, "indicator_count": 2314, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570810b6b17147085608503", "name": "Apple Music.app", "description": "", "modified": "2023-12-06T14:11:23.015000", "created": "2023-12-06T14:11:23.015000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1235, "domain": 324, "hostname": 1559, "URL": 2278, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "657080e2831409d23c8d24a5", "name": "iMessages.app 03.01.2022", "description": "", "modified": "2023-12-06T14:10:42.459000", "created": "2023-12-06T14:10:42.459000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1768, "hostname": 808, "domain": 306, "URL": 1937, "FileHash-SHA1": 1 }, "indicator_count": 4820, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707f425121331bce0945cd", "name": "ZETALYTICS.COM PT2", "description": "", "modified": "2023-12-06T14:03:46.820000", "created": "2023-12-06T14:03:46.820000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 547, "FileHash-SHA256": 932, "URL": 1267, "domain": 140 }, "indicator_count": 2886, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65707ea9c0f2231d524c00ae", "name": "www.zetalytics.com", "description": "", "modified": "2023-12-06T14:01:12.637000", "created": "2023-12-06T14:01:12.637000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 2, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 632, "URL": 747, "hostname": 368, "domain": 116, "email": 1, "FileHash-SHA1": 2 }, "indicator_count": 1866, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a980f14b5a32303bf865b", "name": "CNC server.telegrafix.com", "description": "", "modified": "2023-12-02T02:35:59.820000", "created": "2023-12-02T02:35:59.820000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65423978ca5e5c9931b586a5", "export_count": 12, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "869 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a978cf39ec3cdc99278cc", "name": "RedLine", "description": "", "modified": "2023-12-02T02:33:48.848000", "created": "2023-12-02T02:33:48.848000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65423a941aa6527fbbe40a53", "export_count": 13, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "869 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6545a281ce7426288033f81e", "name": "CNC server.telegrafix.com", "description": "", "modified": "2023-12-01T10:01:56.921000", "created": "2023-11-04T01:46:41.933000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65423978ca5e5c9931b586a5", "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "870 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65423a941aa6527fbbe40a53", "name": "RedLine", "description": "CNC server.telegrafix.com. Brute force passwords using SSH on server RELAY\nTargeted individual, monitoring, hacking, CNC, remoted devices, tracking, malware attack,etc.\n(Auto populated: The last HTTPS certificate was signed by the US government's Department of Homeland Security (DHS), but what exactly is it and what does the certificate actually say?. and how does it look?)", "modified": "2023-12-01T10:01:56.921000", "created": "2023-11-01T11:46:28.418000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 45, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 222, "modified_text": "870 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65423978ca5e5c9931b586a5", "name": "CNC server.telegrafix.com", "description": "Brute force passwords using SSH on server RELAY\nTargeted individual, adult content, malvertizing, keylogging, monitoring, hacking, CNC, remoted devices, tracking, malware attack,etc.\n(Auto populated: The last HTTPS certificate was signed by the US government's Department of Homeland Security (DHS), but what exactly is it and what does the certificate actually say?. and how does it look?)", "modified": "2023-12-01T10:01:56.921000", "created": "2023-11-01T11:41:44.861000", "tags": [ "record type", "ttl value", "data", "v3 serial", "number", "issuer", "cus cnr3", "olet", "subject public", "key info", "key algorithm", "key identifier", "server", "whois lookup", "creation date", "dnssec", "domain name", "status", "abuse contact", "email", "registrar abuse", "contact phone", "date", "whois lookups", "iana id", "domain status", "registrar url", "registrar whois", "first", "execution", "tsara brashears", "ssl certificate", "april", "threat roundup", "october", "december", "roundup", "september", "whois record", "blustealer", "raspberry robin", "redline stealer", "gopuram", "hacktool", "skynet", "android", "quasar", "download", "malware", "hijacker", "monitoring", "installer", "ermac", "attack", "blackguard", "core", "awful", "twitter", "agent tesla", "trickbot", "ursnif", "chaos", "metasploit", "formbook", "metro", "name verdict", "exit", "traffic", "node tcp", "et tor", "known tor", "relayrouter", "united", "team malware", "firehol et", "tor known", "redline", "detection list", "cisco umbrella", "site", "safe site", "alexa top", "million", "malicious url", "blacklist", "phishing", "union", "team", "bank", "unsafe", "contacted", "bundled", "project", "ransomexx" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Lithuania" ], "malware_families": [ { "id": "RedLine", "display_name": "RedLine", "target": null } ], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 42, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 3674, "domain": 1422, "FileHash-SHA1": 117, "FileHash-SHA256": 3178, "URL": 8884, "email": 2, "CVE": 3, "FileHash-MD5": 167 }, "indicator_count": 17447, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "870 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "64e7ab22bbbb24b60b0ede98", "name": "Apple Music.app (by @kailula)", "description": "", "modified": "2023-08-24T19:10:26.385000", "created": "2023-08-24T19:10:26.385000", "tags": [ "whois", "whois record", "ssl certificate", "chinese", "ip check", "mac malware", "collection ii", "steg icons", "wired", "collection", "korlia", "trickbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "6228c8698878b924d3b309b6", "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2278, "hostname": 1559, "domain": 324, "FileHash-SHA256": 1235, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "969 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63d3dc34e0eb41b05f27cdc7", "name": "aka.ms bullshit $M signing Apple malware this is such crap whats up with peeps ICMP google DNS also NOT false positives you jerks", "description": "", "modified": "2023-02-26T14:01:12.597000", "created": "2023-01-27T14:14:12.143000", "tags": [ "https://aka.ms/vs/17/release/vc_redist.x64.exe", "ICMP" ], "references": [ "g60f0f458e32745ffae98173760f0a7530a51e1b2e79a47cb9dbc3411347099be.json" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "callmeDoris", "id": "205385", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 318, "hostname": 125, "FileHash-SHA256": 319, "domain": 53, "FileHash-SHA1": 17, "FileHash-MD5": 16 }, "indicator_count": 848, "is_author": false, "is_subscribing": null, "subscriber_count": 90, "modified_text": "1148 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6342b2b087554c9d5209b50b", "name": "iphone", "description": "", "modified": "2022-11-09T00:03:32.403000", "created": "2022-10-09T11:38:24.078000", "tags": [], "references": [ "iMessages.app" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": "622775d4f2c38a89fdd0128a", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Lazzo115", "id": "210949", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 306, "URL": 1938, "hostname": 808, "FileHash-SHA256": 1768, "FileHash-SHA1": 1 }, "indicator_count": 4821, "is_author": false, "is_subscribing": null, "subscriber_count": 8, "modified_text": "1257 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "63002a17b34d067bf9ed7e35", "name": "Apple's crappy FaceTime ~ Nothing has changed", "description": "", "modified": "2022-09-18T00:03:55.814000", "created": "2022-08-20T00:25:59.852000", "tags": [ "whois record", "whois", "vt graph", "collection", "devils work", "dsp1", "keepaliveyes", "mac malware", "ip check", "chinese", "qakbot", "ransomexx", "quasar", "mirai", "Apple Zero Day", "Ransomware" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Ransom:Win32/Wannaren.A", "display_name": "Ransom:Win32/Wannaren.A", "target": "/malware/Ransom:Win32/Wannaren.A" } ], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 11, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 727, "hostname": 342, "email": 1, "domain": 213, "URL": 1029, "FileHash-MD5": 2 }, "indicator_count": 2314, "is_author": false, "is_subscribing": null, "subscriber_count": 411, "modified_text": "1309 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "62310336c0071a6c73cd7c34", "name": "AppleAutoUpdate", "description": "", "modified": "2022-04-14T00:01:40.805000", "created": "2022-03-15T21:20:54.633000", "tags": [ "WannaCry", "Apple Zero Day" ], "references": [ "AppleAutoUpdate.pdf" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [ { "id": "Win.Ransomware.WannaCry-9856297-0", "display_name": "Win.Ransomware.WannaCry-9856297-0", "target": null } ], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 9, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4607, "hostname": 1953, "domain": 619, "FileHash-SHA256": 2226 }, "indicator_count": 9405, "is_author": false, "is_subscribing": null, "subscriber_count": 411, "modified_text": "1466 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6228c8698878b924d3b309b6", "name": "Apple Music.app", "description": "", "modified": "2022-04-08T00:05:40.239000", "created": "2022-03-09T15:31:53.378000", "tags": [ "whois", "whois record", "ssl certificate", "chinese", "ip check", "mac malware", "collection ii", "steg icons", "wired", "collection", "korlia", "trickbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 2278, "hostname": 1559, "domain": 324, "FileHash-SHA256": 1235, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 409, "modified_text": "1472 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "622775d4f2c38a89fdd0128a", "name": "iMessages.app 03.01.2022", "description": "", "modified": "2022-04-07T00:04:02.553000", "created": "2022-03-08T15:27:16.349000", "tags": [], "references": [ "iMessages.app" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "domain": 306, "URL": 1937, "hostname": 808, "FileHash-SHA256": 1768, "FileHash-SHA1": 1 }, "indicator_count": 4820, "is_author": false, "is_subscribing": null, "subscriber_count": 408, "modified_text": "1473 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6219004f53e3ae2316efea12", "name": "ZETALYTICS.COM PT2", "description": "", "modified": "2022-03-27T00:00:39.057000", "created": "2022-02-25T16:14:07.302000", "tags": [ "ssl certificate", "whois", "whois record" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China" ], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 5, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 547, "URL": 1267, "domain": 140, "FileHash-SHA256": 932 }, "indicator_count": 2886, "is_author": false, "is_subscribing": null, "subscriber_count": 407, "modified_text": "1484 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6211eaee20bc9b0534df6133", "name": "www.zetalytics.com", "description": "", "modified": "2022-03-24T00:00:00.271000", "created": "2022-02-20T07:17:02.872000", "tags": [ "ssl certificate", "whois record", "whois", "key identifier", "x509v3 subject", "v3 serial", "number", "issuer", "cus cngo", "daddy secure", "g2 lscottsdale", "ouhttp", "validity", "info", "date", "tucows domains", "server", "algorithm", "iana id", "registrar url", "status", "registrar whois", "rank value", "ingestion time", "statvoo", "utc alexa", "utc cisco", "umbrella", "submission", "history first", "analysis", "utc http", "response final", "url https", "ip address", "status code", "body length", "kb body", "tools", "Ransomware", "POSSIBLE ETERNAL BLUE" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "China", "Australia", "Belgium" ], "malware_families": [ { "id": "TEL:NoPowShell!msil", "display_name": "TEL:NoPowShell!msil", "target": null }, { "id": "PWS:Win32/QQPass.GP", "display_name": "PWS:Win32/QQPass.GP", "target": "/malware/PWS:Win32/QQPass.GP" }, { "id": "Win.Malware.Razy-6783523-0", "display_name": "Win.Malware.Razy-6783523-0", "target": null }, { "id": "Win.Trojan.Pasta-827", "display_name": "Win.Trojan.Pasta-827", "target": null }, { "id": "Ransom:Win32/Wannaren.A", "display_name": "Ransom:Win32/Wannaren.A", "target": "/malware/Ransom:Win32/Wannaren.A" }, { "id": "Win.Malware.Zusy-6840460-0", "display_name": "Win.Malware.Zusy-6840460-0", "target": null }, { "id": "Win.Trojan.Agent-1201096", "display_name": "Win.Trojan.Agent-1201096", "target": null }, { "id": "Win32:Dropper-GUP\\ [Drp]", "display_name": "Win32:Dropper-GUP\\ [Drp]", "target": null }, { "id": "Worm:Win32/Macoute", "display_name": "Worm:Win32/Macoute", "target": "/malware/Worm:Win32/Macoute" }, { "id": "Win32:Sobig-H\\ [Wrm]", "display_name": "Win32:Sobig-H\\ [Wrm]", "target": null }, { "id": "Win.Worm.Sobig-5", "display_name": "Win.Worm.Sobig-5", "target": null }, { "id": "Backdoor:Win32/Berbew", "display_name": "Backdoor:Win32/Berbew", "target": "/malware/Backdoor:Win32/Berbew" }, { "id": "Win.Trojan.Crypted-30", "display_name": "Win.Trojan.Crypted-30", "target": null }, { "id": "#VirTool:Win32/Obfuscator.ADB", "display_name": "#VirTool:Win32/Obfuscator.ADB", "target": "/malware/#VirTool:Win32/Obfuscator.ADB" }, { "id": "Win.Trojan.Kazy-6878", "display_name": "Win.Trojan.Kazy-6878", "target": null }, { "id": "Win32:VB-FBX", "display_name": "Win32:VB-FBX", "target": null }, { "id": "Win.Worm.Pajetbin-6726648-0", "display_name": "Win.Worm.Pajetbin-6726648-0", "target": null }, { "id": "Trojan:Win32/Vindor.B", "display_name": "Trojan:Win32/Vindor.B", "target": "/malware/Trojan:Win32/Vindor.B" }, { "id": "MSIL:BrowseFox-FC\\ [Adw]", "display_name": "MSIL:BrowseFox-FC\\ [Adw]", "target": null }, { "id": "Win.Ransomware.Teslacrypt-7082109-1", "display_name": "Win.Ransomware.Teslacrypt-7082109-1", "target": null }, { "id": "ALF:HSTR:Trojan:Win32/Injector.YY!bit", "display_name": "ALF:HSTR:Trojan:Win32/Injector.YY!bit", "target": null }, { "id": "Win32:Papras-AX\\ [Trj]", "display_name": "Win32:Papras-AX\\ [Trj]", "target": null }, { "id": "ALF:HSTR:MITM:UtilAds", "display_name": "ALF:HSTR:MITM:UtilAds", "target": null }, { "id": "Win.Malware.Autoit-6753917-0", "display_name": "Win.Malware.Autoit-6753917-0", "target": null } ], "attack_ids": [], "industries": [ "Technology" ], "TLP": "white", "cloned_from": null, "export_count": 4, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Kailula4", "id": "131997", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 368, "URL": 747, "domain": 116, "FileHash-SHA256": 632, "email": 1, "FileHash-SHA1": 2 }, "indicator_count": 1866, "is_author": false, "is_subscribing": null, "subscriber_count": 409, "modified_text": "1487 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "pegacloud.net", "g60f0f458e32745ffae98173760f0a7530a51e1b2e79a47cb9dbc3411347099be.json", "iMessages.app", "message.htm.com | malware ransomware spreader", "drip.colorado.edu = colorado.edu @ University of Colorado Boulder", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "5.79.79.211 | command and control", "5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate", "IDS: Observed Suspicious UA (Mozilla/5.0)", "apple.com | malicious \u2022 geo tracking", "172.93.103.100 | command and control", "45.33.30.197 | command and control", "37.48.65.150 | command and control", "CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE", "45.79.19.196 | command and control", "ocsp2.apple.com | IP 17.253.29.199", "https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument", "IDS: Data POST to an image file (jpg)", "185.107.56.200 | command and control", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware", "tulach.cc. | Malicious compromises \u2022 Critical", "96.126.123.244 | command and control", "nr-data.net | Apple Private Data Collection", "http://fakejuko.site40/", "103.246.145.111 | scanning host", "IDS: Win32.Scar.hhrw POST", "IDS: Win32/Ibashade CnC Beacon", "72.14.178.174 | command and control", "https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack", "AppleAutoUpdate.pdf", "45.33.2.79 | command and control", "https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim", "45.33.18.44 | command and control", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog", "ussjc9-edge-bx-008.ts.apple.com | malware", "45.33.23.183 | command and control", "45.33.20.235 | command and control", "20.99.186.246 | command and contro", "198.58.118.167 | command and control", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214", "45.56.79.23 | command and control", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "72.14.185.43 | command and control", "https://tulach.cc/ | phishing", "https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)", "IDS: OnionDuke CnC Beacon 1" ], "related": { "alienvault": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 0 }, "other": { "adversary": [], "malware_families": [ "Nimnul", "Trojanspy", "Win.worm.pajetbin-6726648-0", "Win32:papras-ax\\ [trj]", "Win.trojan.crypted-30", "Neworder.doc", "Win.worm.sobig-5", "Win.trojan.pasta-827", "Tel:nopowshell!msil", "Backdoor:win32/berbew", "Ransom:win32/wannaren.a", "Win.trojan.kazy-6878", "Et", "Ramnit", "Win.malware.autoit-6753917-0", "Win32:vb-fbx", "Win32:dropper-gup\\ [drp]", "Generic", "Win32:sobig-h\\ [wrm]", "Win.malware.zusy-6840460-0", "Msil:browsefox-fc\\ [adw]", "Worm:win32:drolnux", "Pws:win32/qqpass.gp", "Tulach malware", "Ratel", "Worm:win32/macoute", "Win.malware.razy-6783523-0", "Quasar rat", "Win.ransomware.teslacrypt-7082109-1", "Alf:hstr:mitm:utilads", "Redline", "Win32:wormx-gen [wrm]", "Pegasus - mob-s0005", "Alf:hstr:trojan:win32/injector.yy!bit", "Webtoolbar", "Trojan:win32/vindor.b", "Win.ransomware.wannacry-9856297-0", "Ransomexx", "Win.trojan.agent-1201096", "Botnet army", "#virtool:win32/obfuscator.adb" ], "industries": [ "Telecommunications", "Government", "Technology", "Public" ], "unique_indicators": 80362 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/appletvapp.apple", "whois": "http://whois.domaintools.com/appletvapp.apple", "domain": "appletvapp.apple", "hostname": "learn.appletvapp.apple" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 31, "pulses": [ { "id": "69d4db11500ea6dcbc2afd10", "name": "ZETALYTICS.COM PT2 CREATED 2 YEARS AGO by StreamMiningEx Public TLP: Green clone", "description": "", "modified": "2026-04-07T10:23:13.255000", "created": "2026-04-07T10:23:13.255000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": "65707f425121331bce0945cd", "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "msudosos", "id": "381696", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 547, "FileHash-SHA256": 932, "URL": 1267, "domain": 140 }, "indicator_count": 2886, "is_author": false, "is_subscribing": null, "subscriber_count": 48, "modified_text": "12 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6952fbca42c1b0da7431e6a7", "name": "Pegasus / Pegacloud - Infiltration (10-2013 or 2014 to Current/ Ongoing) ", "description": "", "modified": "2025-12-29T22:08:10.280000", "created": "2025-12-29T22:08:10.280000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": "6877422df67773a07ef450c2", "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 140, "modified_text": "111 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6877422df67773a07ef450c2", "name": "Pegasus / Pegacloud - Infiltration", "description": "Pegasus IoC\u2019s found in the periphery of research. Appears target contacted a \u2018fake host\u2019 after finding name in multiple highly malicious domains. May have appeared between 12/2013 - 11-2014. Target was contacted by telephone and asked \u2018 have you checked Googled yourself\u2019, to which target answered \u2018Not really\u2019. Target was told \u2018you really should Google yourself\u2019. Target, upset about content clicked and began a takedown effort with host.\n\nThis seems to be at the start of many malicious campaigns. Requires further investigation.", "modified": "2025-08-15T05:01:22.570000", "created": "2025-07-16T06:09:49.704000", "tags": [ "backdoor", "cyprus", "trojan", "mtb sep", "passive dns", "ddos", "mtb oct", "mtb aug", "ipv4 add", "smokeloader", "trojandropper", "extraction", "se extraction", "failed", "data upload", "enter s", "enter sc", "data u", "extrac please", "prop", "extre data", "type", "extr data", "include review", "exclude", "find s", "typ data", "source tir", "extri", "exclude sugges", "se type", "extra", "include data", "exclude review", "show", "showinil tvnes", "dom dom", "sc cat959", "drop", "pulse pulses", "worm", "files show", "date hash", "avast avg", "win32", "susp", "cyprus showing", "entries", "next associated", "urls show", "date checked", "url hostname", "server response", "ip address", "google safe", "server", "registrar abuse", "iana id", "contact phone", "dnssec", "domain status", "registrar url", "registrar whois", "date", "registrar", "se cre", "pul use", "url list", "status http", "linkid182227", "linkid151642", "first", "domain list", "ii llc", "sc data", "ukl extract", "hiloti style", "msle", "win3 data", "onio", "observea", "data data", "stop data", "monitored target", "tsara", "pegasus", "social engineering" ], "references": [ "http://fakejuko.site40/", "pegacloud.net", "IDS: Hiloti Style GET to PHP with invalid terse MSIE headers", "IDS: Win32/Ibashade CnC Beacon", "IDS: Win32.Scar.hhrw POST", "IDS: Trojan.Win32.Cosmu.cdqg Checkin", "IDS: OnionDuke CnC Beacon 1", "IDS: Observed Suspicious UA (Mozilla/5.0)", "IDS: Data POST to an image file (jpg)", "cwt-cwtcxp1-dt1.pegacloud.net\t\u2022 fortrea-prod1.pegacloud.net \u2022 ssl-ssldmp-dt1-sftp.pegacloud.net \u2022 13.40.20.221 \u2022 44.215.155.206 \u2022 44.226.180.214" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [ { "id": "Win32:WormX-gen [Wrm]", "display_name": "Win32:WormX-gen [Wrm]", "target": null }, { "id": "Worm:Win32:Drolnux", "display_name": "Worm:Win32:Drolnux", "target": null }, { "id": "Pegasus - MOB-S0005", "display_name": "Pegasus - MOB-S0005", "target": null } ], "attack_ids": [], "industries": [ "Technology", "Telecommunications", "Government" ], "TLP": "white", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Q.Vashti", "id": "337942", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "hostname": 1630, "URL": 4078, "FileHash-MD5": 245, "FileHash-SHA1": 246, "FileHash-SHA256": 2561, "CVE": 2, "domain": 1307, "email": 1 }, "indicator_count": 10070, "is_author": false, "is_subscribing": null, "subscriber_count": 141, "modified_text": "247 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "66507a6eb3fde0552a6ebd9d", "name": "Sweet QuaDreams Apple | Hostile Spy campaign | Service modifier (Updated) ", "description": "", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:30:54.138000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": "6650751b8dd6c7d00f0d7478", "export_count": 18, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 226, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6650751b8dd6c7d00f0d7478", "name": "ET INFO Terse | Apple | Win.Trojan.Zbot-6598057-0", "description": "Tags, results generated by Level Blue OTX. AlienVault\nMy limited research results: \nApple | CIDR\n17.0.0.0/8\nFileHash-SHA256 d9ff17dd19a01ad64a77df6837e566319d16a235ac7223b9f565f470e57154c8 | Antivirus Detections\nWin32:Dropper-gen, Adware.Xadupi.B, Mirai, Win.Trojan.Zbot-6598057-0,\na variant of Win32/ELEX.IE potentially unwanted, Adware.Xadupi.B, Artemis!69E9EFD2E75E\nIDS Detections:\nET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile.\nYara Detections: dbgdetect_funcs,\nAlerts: injection_runpe,\nnetwork_icmp,\nallocates_execute_remote_process,\npersistence_autorun,\ncreates_service,\ninjection_modifies_memory,\ninjection_write_memory,\nprocess_martian,\nransomware_extensions,\nransomware_mass_file_delete", "modified": "2024-06-23T10:00:24.005000", "created": "2024-05-24T11:08:10.044000", "tags": [ "technology", "apple computer", "dns replication", "date", "domain", "lookups", "city", "apple abuse", "orgid", "rtechhandle", "june", "threat roundup", "triad", "usps", "us citizens", "data theft", "august", "apple", "sweet quadreams", "spyware vendor", "get http", "png image", "rgba", "ms windows", "united", "intel", "windows nt", "as16509", "pe32", "crlf line", "win32", "write", "next", "artemis", "malware", "copy", "cname", "unknown", "passive dns", "scan endpoints", "all scoreblue", "pulse submit", "url analysis", "urls", "pagewritecopy", "pageexecuteread", "nx00xffxe2", "nx00xc7d", "memcommit", "pagenoaccess", "memreserve", "service", "high process", "injection t1055" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America" ], "malware_families": [], "attack_ids": [ { "id": "T1031", "name": "Modify Existing Service", "display_name": "T1031 - Modify Existing Service" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1060", "name": "Registry Run Keys / Startup Folder", "display_name": "T1060 - Registry Run Keys / Startup Folder" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 20, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1524, "CIDR": 1, "URL": 5189, "email": 2, "hostname": 867, "FileHash-MD5": 117, "FileHash-SHA1": 27, "domain": 403 }, "indicator_count": 8130, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "665 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a986b2f9afc18556b1181", "name": "RATel \u2022 Apple iOS \u2022 NEWORDER.doc \u2022 http://ocsp2.apple.com/", "description": "", "modified": "2023-12-29T16:03:00.220000", "created": "2023-12-02T02:37:31.842000", "tags": [ "ssl certificate", "whois record", "contacted", "apple", "historical ssl", "referrer", "resolutions", "highly targeted", "execution", "password", "ratel", "core", "hacktool", "attack", "life", "android", "project", "chaos", "ransomexx", "quasar", "name verdict", "no data", "tag count", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag tag", "pattern match", "script", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "beginstring", "mitre att", "null", "date", "unknown", "error", "span", "class", "generator", "critical", "body", "meta", "hybrid", "general", "click", "strings", "refresh", "tools", "ip summary", "url summary", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "malicious url", "phishing", "union", "bank", "traffic", "tor known", "tor relayrouter", "node tcp", "spammer", "anonymizer", "united", "firehol gozi", "cname", "aaaa", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnapple", "public server", "ecc ca", "g1 oapple", "validity", "public key", "info", "domain status", "server", "redacted for", "privacy tech", "privacy admin", "email", "registrar abuse", "country", "postal code", "code", "csc corporate", "domains", "registrar url", "registry domain", "contact phone", "registrar whois", "security", "dns replication", "servers", "passive dns", "urls", "creation date", "rsa cn", "ca g2", "search", "record value", "object", "certificate", "orgtechhandle", "apple computer", "orgtechref", "rauschenberg", "rtechhandle", "rtechref", "network", "registry arin", "country us", "domain", "lookups", "city", "orgid", "stevens creek", "city center", "dropped", "pe resource", "collections", "contacted urls", "stealer", "nanocore", "malicious", "installer", "neworder.doc", "et", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "setcookie geous", "cookie", "malware site", "malicious site", "genericm", "phishing site", "malware", "lazarus", "tulach", "tsara brashears", "targeting", "malvertizing", "ios", "icloud compromise", "apple support compromise", "apple app store compromise", "t-mobile", "metroby-tmo", "metro", "dgs", "qwest", "zombie devices", "python infostealer", "soc", "red", "galaxy watch", "gear s", "watch", "samsung galaxy", "app store", "gear s2", "gear sport", "gear s3", "active", "active2", "galaxy", "blacklist https", "tld count", "scan endpoints", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "verdict", "samsug", "galaxy watch", "registrar", "showing", "as43350 nforce", "united kingdom", "alexa top", "alexa" ], "references": [ "https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca", "ocsp2.apple.com | IP 17.253.29.199", "5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate", "CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE", "37.48.65.150 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.33.20.235 | command and control", "45.33.23.183 | command and control", "45.33.30.197 | command and control", "45.56.79.23 | command and control", "45.79.19.196 | command and control", "172.93.103.100 | command and control", "198.58.118.167 | command and control", "185.107.56.200 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.79.19.196 | command and control", "5.79.79.211 | command and control", "72.14.178.174 | command and control", "72.14.178.174 | command and control", "72.14.185.43 | command and control", "96.126.123.244 | command and control", "20.99.186.246 | command and contro", "103.246.145.111 | scanning host", "https://tulach.cc/ | phishing", "tulach.cc. | Malicious compromises \u2022 Critical", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy", "https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware", "message.htm.com | malware ransomware spreader", "ussjc9-edge-bx-008.ts.apple.com | malware", "nr-data.net | Apple Private Data Collection", "https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)", "apple.com | malicious \u2022 geo tracking", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog", "https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument", "drip.colorado.edu = colorado.edu @ University of Colorado Boulder" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Nimnul", "display_name": "Nimnul", "target": null }, { "id": "Botnet Army", "display_name": "Botnet Army", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Telecommunications", "Public" ], "TLP": "white", "cloned_from": "65676fdedd4bf87319fcd14a", "export_count": 30, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4559, "FileHash-MD5": 187, "FileHash-SHA1": 161, "FileHash-SHA256": 2628, "domain": 744, "hostname": 1598, "email": 11, "CVE": 1, "CIDR": 2 }, "indicator_count": 9891, "is_author": false, "is_subscribing": null, "subscriber_count": 224, "modified_text": "842 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "65676fdedd4bf87319fcd14a", "name": "RATel \u2022 Apple iOS \u2022 NEWORDER.doc \u2022 http://ocsp2.apple.com/", "description": "", "modified": "2023-12-29T16:03:00.220000", "created": "2023-11-29T17:07:42.477000", "tags": [ "ssl certificate", "whois record", "contacted", "apple", "historical ssl", "referrer", "resolutions", "highly targeted", "execution", "password", "ratel", "core", "hacktool", "attack", "life", "android", "project", "chaos", "ransomexx", "quasar", "name verdict", "no data", "tag count", "threat report", "summary", "sample", "samples", "detection list", "blacklist", "count blacklist", "tag tag", "pattern match", "script", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "beginstring", "mitre att", "null", "date", "unknown", "error", "span", "class", "generator", "critical", "body", "meta", "hybrid", "general", "click", "strings", "refresh", "tools", "ip summary", "url summary", "cisco umbrella", "site", "safe site", "million", "team", "microsoft", "malicious url", "phishing", "union", "bank", "traffic", "tor known", "tor relayrouter", "node tcp", "spammer", "anonymizer", "united", "firehol gozi", "cname", "aaaa", "record type", "ttl value", "algorithm", "data", "v3 serial", "number", "cus cnapple", "public server", "ecc ca", "g1 oapple", "validity", "public key", "info", "domain status", "server", "redacted for", "privacy tech", "privacy admin", "email", "registrar abuse", "country", "postal code", "code", "csc corporate", "domains", "registrar url", "registry domain", "contact phone", "registrar whois", "security", "dns replication", "servers", "passive dns", "urls", "creation date", "rsa cn", "ca g2", "search", "record value", "object", "certificate", "orgtechhandle", "apple computer", "orgtechref", "rauschenberg", "rtechhandle", "rtechref", "network", "registry arin", "country us", "domain", "lookups", "city", "orgid", "stevens creek", "city center", "dropped", "pe resource", "collections", "contacted urls", "stealer", "nanocore", "malicious", "installer", "neworder.doc", "et", "http response", "final url", "serving ip", "address", "status code", "body length", "kb body", "sha256", "headers", "setcookie geous", "cookie", "malware site", "malicious site", "genericm", "phishing site", "malware", "lazarus", "tulach", "tsara brashears", "targeting", "malvertizing", "ios", "icloud compromise", "apple support compromise", "apple app store compromise", "t-mobile", "metroby-tmo", "metro", "dgs", "qwest", "zombie devices", "python infostealer", "soc", "red", "galaxy watch", "gear s", "watch", "samsung galaxy", "app store", "gear s2", "gear sport", "gear s3", "active", "active2", "galaxy", "blacklist https", "tld count", "scan endpoints", "all search", "otx octoseek", "hostname", "pulse submit", "url analysis", "files", "verdict", "samsug", "galaxy watch", "registrar", "showing", "as43350 nforce", "united kingdom", "alexa top", "alexa" ], "references": [ "https://www.hybrid-analysis.com/sample/c52df9e010faa90f567fb29345b551506398b450a3c68c64e40f337b7b054bca", "ocsp2.apple.com | IP 17.253.29.199", "5b574f4989724909s@anonymised.email | contact information seems evasive and illegitimate", "CA Issuers - http://certs.apple.com/apsecc12g1.der OCSP - http://ocsp.apple.com/ocsp03-apsecc12g101 X509v3 Basic Constraints: CA:FALSE", "37.48.65.150 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.33.20.235 | command and control", "45.33.23.183 | command and control", "45.33.30.197 | command and control", "45.56.79.23 | command and control", "45.79.19.196 | command and control", "172.93.103.100 | command and control", "198.58.118.167 | command and control", "185.107.56.200 | command and control", "45.33.18.44 | command and control", "45.33.2.79 | command and control", "45.79.19.196 | command and control", "5.79.79.211 | command and control", "72.14.178.174 | command and control", "72.14.178.174 | command and control", "72.14.185.43 | command and control", "96.126.123.244 | command and control", "20.99.186.246 | command and contro", "103.246.145.111 | scanning host", "https://tulach.cc/ | phishing", "tulach.cc. | Malicious compromises \u2022 Critical", "https://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbian | Apple password cracker \u2022 Cyber attack targeting SA victim", "https://www.anyxxxtube.net/search-porn/tsara-brashears/ | phishing attack \u2022 retaliation after alleged SA by Doctor of Physical Therapy", "https://twitter.com/PORNO_SEXYBABES. | Botnetwork T-Mobile attack", "http://103.246.145.111/gateonl.php?hwid=WALKER-PC-WALKER&cpuname=Intel | Dangerous Malware", "message.htm.com | malware ransomware spreader", "ussjc9-edge-bx-008.ts.apple.com | malware", "nr-data.net | Apple Private Data Collection", "https://applemusic-spotlight.myunidays.com/US/en-US? | \"Zero Click\" remote attack \u2022 enters through Apple apps ( apple tv, iTunes,etc)", "apple.com | malicious \u2022 geo tracking", "https://itunes.apple.com/app/apple-store/id284815942/us/app/samsung-galaxy-watch-gear-s/id1117310635 | Blog", "https://apps.apple.com/us/app/samsung-galaxy-watch-gear-s/id1117310635 | App argument", "drip.colorado.edu = colorado.edu @ University of Colorado Boulder" ], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Netherlands", "United Kingdom of Great Britain and Northern Ireland" ], "malware_families": [ { "id": "NEWORDER.doc", "display_name": "NEWORDER.doc", "target": null }, { "id": "RATel", "display_name": "RATel", "target": null }, { "id": "Tulach Malware", "display_name": "Tulach Malware", "target": null }, { "id": "ET", "display_name": "ET", "target": null }, { "id": "Ramnit", "display_name": "Ramnit", "target": null }, { "id": "Nimnul", "display_name": "Nimnul", "target": null }, { "id": "Botnet Army", "display_name": "Botnet Army", "target": null }, { "id": "RansomEXX", "display_name": "RansomEXX", "target": null }, { "id": "Quasar RAT", "display_name": "Quasar RAT", "target": null } ], "attack_ids": [ { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1090", "name": "Proxy", "display_name": "T1090 - Proxy" }, { "id": "TA0011", "name": "Command and Control", "display_name": "TA0011 - Command and Control" }, { "id": "TA0009", "name": "Collection", "display_name": "TA0009 - Collection" }, { "id": "TA0037", "name": "Command and Control", "display_name": "TA0037 - Command and Control" }, { "id": "T1562.003", "name": "Impair Command History Logging", "display_name": "T1562.003 - Impair Command History Logging" }, { "id": "T1059.002", "name": "AppleScript", "display_name": "T1059.002 - AppleScript" }, { "id": "T1548", "name": "Abuse Elevation Control Mechanism", "display_name": "T1548 - Abuse Elevation Control Mechanism" }, { "id": "T1114", "name": "Email Collection", "display_name": "T1114 - Email Collection" }, { "id": "T1078.004", "name": "Cloud Accounts", "display_name": "T1078.004 - Cloud Accounts" }, { "id": "T1059.007", "name": "JavaScript", "display_name": "T1059.007 - JavaScript" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1071.003", "name": "Mail Protocols", "display_name": "T1071.003 - Mail Protocols" }, { "id": "T1071.004", "name": "DNS", "display_name": "T1071.004 - DNS" }, { "id": "T1448", "name": "Carrier Billing Fraud", "display_name": "T1448 - Carrier Billing Fraud" }, { "id": "T1449", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "display_name": "T1449 - Exploit SS7 to Redirect Phone Calls/SMS" }, { "id": "T1036.004", "name": "Masquerade Task or Service", "display_name": "T1036.004 - Masquerade Task or Service" }, { "id": "T1003", "name": "OS Credential Dumping", "display_name": "T1003 - OS Credential Dumping" } ], "industries": [ "Telecommunications", "Public" ], "TLP": "white", "cloned_from": null, "export_count": 39, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 1, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 4559, "FileHash-MD5": 187, "FileHash-SHA1": 161, "FileHash-SHA256": 2628, "domain": 744, "hostname": 1598, "email": 11, "CVE": 1, "CIDR": 2 }, "indicator_count": 9891, "is_author": false, "is_subscribing": null, "subscriber_count": 218, "modified_text": "842 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "656a9c2eeebaf7b69d0e12ba", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "", "modified": "2023-12-20T17:01:34.161000", "created": "2023-12-02T02:53:34.585000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": "655b9a90e44a70d0fbbde981", "export_count": 35, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "scoreblue", "id": "254100", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_254100/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 225, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "655b9a90e44a70d0fbbde981", "name": "Domain Seized - http://server3.elgenero.com/cgi-bin/xdown.cgi", "description": "Domain stated ' SEIZED' by Departing Homeland Security\nSeizure links below seem a bit questionable: \n\nhttp://server3.elgenero.com/iprc_seized_banner.png\nhttp://kickass.to/IPRC_Seized_2016_kat.jpg\nhttp://kickass.to/the-adventures-of-tom-sawyer-t2068537.html\t\nhttp://bludv.tv/iprc_seized_banner.png\nhttp://z-lib.org/iprc_seized_banner.png\nIPRC_Seized_2016_kat.jpg\n... just banners? Moved and continue? Okay.\nListed below also listed in seized domain. Domains,URL's and Botnetwork Hosts still seem to exist.\nhttp://alohatube.xyz/search/tsara-brashears\nalohatube.xyz\nhttps://alohatube.xyz/search/tsara-brashears\nhttps://www.anyxxxtube.net/search-porn/tsara-brashears/\nhttp://45.159.189.105/bot/regex\t\nhttps://www.pornhub.com/gifs/search?search=tsara+lynn+brashears+lesbia\t\nnr-data.net", "modified": "2023-12-20T17:01:34.161000", "created": "2023-11-20T17:42:40.771000", "tags": [ "safe site", "million", "cisco umbrella", "alexa top", "site", "tag count", "tld count", "jul jan", "team alexa", "count blacklist", "maltiverse", "redirme", "cronup threat", "intel malware", "malicious site", "malware", "no data", "threat report", "ip summary", "url summary", "summary", "sample", "samples", "detection list", "blacklist", "united", "cyber threat", "engineering", "team", "malware site", "covid19", "phishing site", "phishing", "phishtank", "bank", "zbot", "malicious", "download", "suppobox", "zeus", "nymaim", "matsnu", "artemis", "virut", "panama", "smsspy", "cobalt strike", "emotet", "bradesco", "stealer", "facebook", "service", "simda", "runescape", "cutwail", "unruy", "bandoo", "tinba", "pykspa", "domaiq", "ave maria", "citadel", "pony", "keitaro", "ponmocup", "ransomware", "pattern match", "et tor", "known tor", "relayrouter", "exit", "node traffic", "misc attack", "sha256", "sha1", "ascii text", "date", "unknown", "body", "error", "class", "generator", "critical", "meta", "hybrid", "general", "local", "click", "strings", "malicious url", "union", "unsafe", "node tcp", "traffic", "tor known", "tor relayrouter", "spammer", "threats et", "ssl certificate", "contacted", "whois record", "whois whois", "historical ssl", "apple ios", "resolutions", "bundled", "referrer", "collections", "android", "banker", "keylogger", "generic malware", "generic", "blacklist http", "ac32a", "heur", "alexa", "xtrat", "iframe", "installcore", "win64", "crack", "xrat", "nircmd", "swrort", "agent", "filetour", "cleaner", "patcher", "adload", "wacatac", "riskware", "acint", "conduit", "fakealert", "opencandy", "xtreme", "downldr", "outbreak", "iobit", "rostpay", "dropper", "mediaget", "installpack", "psexec", "occamy", "brontok", "zpevdo", "startpage", "nanocore", "keygen", "fareit", "secrisk", "floxif", "presenoker", "fusioncore", "exploit", "filerepmetagen", "download json", "hostname", "hostnames", "mail spammer", "anonymizer", "firehol proxy", "asyncrat", "genkryptik", "fuery", "webtoolbar", "trojanspy", "dropped", "execution", "contacted urls", "http spammer", "host", "ip address", "site top", "site safe", "blacklist https", "tsara brashears", "kgs0", "kls0", "critical risk", "attack", "hacktool", "installer" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [ "United States of America", "Latvia", "Poland", "Germany" ], "malware_families": [ { "id": "Generic", "display_name": "Generic", "target": null }, { "id": "WebToolbar", "display_name": "WebToolbar", "target": null }, { "id": "TrojanSpy", "display_name": "TrojanSpy", "target": null } ], "attack_ids": [ { "id": "T1110", "name": "Brute Force", "display_name": "T1110 - Brute Force" }, { "id": "T1176", "name": "Browser Extensions", "display_name": "T1176 - Browser Extensions" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1071", "name": "Application Layer Protocol", "display_name": "T1071 - Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" } ], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 46, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "OctoSeek", "id": "243548", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_243548/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 1117, "FileHash-SHA1": 664, "FileHash-SHA256": 3426, "domain": 977, "hostname": 2269, "URL": 5554, "CVE": 23, "URI": 8, "Mutex": 1 }, "indicator_count": 14039, "is_author": false, "is_subscribing": null, "subscriber_count": 220, "modified_text": "851 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6570a0bc9f2837fed9426cdd", "name": "Apple Music.app (by @kailula)", "description": "", "modified": "2023-12-06T16:26:36.394000", "created": "2023-12-06T16:26:36.394000", "tags": [], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 8, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "StreamMiningEx", "id": "262917", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 1235, "domain": 324, "hostname": 1559, "URL": 2278, "FileHash-SHA1": 1 }, "indicator_count": 5397, "is_author": false, "is_subscribing": null, "subscriber_count": 109, "modified_text": "865 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://learn.appletvapp.apple", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://learn.appletvapp.apple", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1776639654.4199755 }